
My Logfile Please Help! [RESOLVED]

Greg Hill (New Member, 4 posts)

Posted 22 November 2005 - 04:29 AM

Hi there,

Ended up at the wrong website looking for an audio app. I ended up with a few trojans. I've run my anti-virus plus all the apps recommended by Geeks to Go. Nothing found - looks clean - but my Explorer is now very slow (especially opening My Computer - the torch looks for a good 30 sec) and I still get the occasional pop-up even though my pop-up blocker is on (edit... no pop-ups for 2 hours now :-)).


Crustyoldbloke (Retired Staff, 15,130 posts; "Old Malware Surgeon with a shaky scalpel")

Posted 22 November 2005 - 10:39 AM

Hello Greg and welcome to Geeks to Go

As an introduction, please note that I am not Superhuman, I do not know everything, but what I do know has taken me years to learn. I am happy to pass on this information to you, but please bear in mind that I am also fallible.

Please note that you should have Administrator rights to perform the fixes. Also note that multiple-identity PCs (family PCs) present a different problem; please tell me if your PC has more than one individual's settings, but continue with the fix.

Before we get underway, you may wish to print these instructions for easy reference during the fix, although please be aware that many of the required URLs are hyperlinks in the red names shown on your screen. Part of the fix may require you to be in Safe Mode, which will not allow you to access the internet, or my instructions!

You have just a little malware. Let’s see what we can do with the first sweep.

You do not appear to have any antivirus programme running on your PC; we must correct that immediately.

Install AVG, update its virus definitions and perform a full system scan before proceeding any further.

Firstly, could you please disable Microsoft Antispyware from running during the fix; it may just hinder our attempts to change anything. Right-click on the icon (looks like an archery target) in the task bar and click on Security Agents Status (Enabled), then click on Disable Real-time Protection. To re-enable it, you follow the same steps but click on Enable Real-time Protection.

To start please download the following programmes, we will run them later. Please save them to a place that you will remember, I suggest the Desktop:

The update will start and a progress bar will show the updates being installed.
(the status bar at the bottom will display "Update successful")

If you are having problems with the updater, you can use this link to manually update Ewido: Ewido manual updates. Do NOT run a scan yet.

Next, please reboot your computer in Safe Mode by doing the following:
1) Restart your computer.
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear.
4) Select the first option, to run Windows in Safe Mode.

For additional help in booting into Safe Mode, see the following site:

Please set your system to show all files; please see here if you're unsure how to do this.

Please delete this folder (if present) using Windows Explorer:

C:\WINDOWS\GIGATEMP\

Close Windows Explorer and Reboot normally

Now we must hide the files we revealed earlier by reversing the process, this is an important safeguard to stop important system files being deleted by accident.

There is almost certainly bound to be some junk (leftover bits and pieces) on your system that is doing nothing but taking up space. I would recommend that you run CCleaner. Install it, update it, check the default settings in the left-hand pane, ensure you uncheck old prefetch data found under the System tab, then click Analyze > Run Cleaner. You may be fairly surprised by how much it finds. Also click Issues, then Scan for issues, then Fix selected issues.

Post back a fresh HijackThis log (from normal mode) and I will take another look. (2 logs in total – also please turn off word wrap in Notepad; it produces a scattered HJT log, and they are difficult enough normally.)

Crustyoldbloke (Retired Staff, 15,130 posts; "Old Malware Surgeon with a shaky scalpel")

Posted 23 November 2005 - 03:00 AM

Hello again Greg

Apologies, I can see your AV programme, I just missed it before (another senior moment). Your HJT log looks good. To check your logon rights, navigate to User Accounts in the Control Panel and check them there. I see that Ewido Guard is running, please disable the guard option from within Ewido.

For this sweep, I want to search a little deeper to see if we have a rootkit infection.

You may want to print out these instructions for reference, since you will have to restart your computer during the fix.

Please download AproposFix from here: AproposFix. Save it to your desktop but do NOT run it yet.

Then please reboot your computer in Safe Mode by doing the following:
1) Restart your computer.
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear.
4) Select the first option, to run Windows in Safe Mode.

Once in Safe Mode, please double-click aproposfix.exe and unzip it to the desktop. Open the aproposfix folder on your desktop and run RunThis.bat. Follow the prompts.

Restart your computer and as soon as it starts booting up again continuously tap the F8 key. A menu should appear where you will be given the option to enter Safe Mode.

Open the C:\Antispyware\RKFiles folder.
* Locate and double-click the RKFILES.BAT to run this tool.
* Sit back and wait until it has finished.
* When it is finally finished a text file will open.
* Save the contents of that text file.

N.B.: It should save by default to C:\Log.txt

Reboot back to Normal Mode.

Please post a new HijackThis log, along with the entire contents of the log.txt file in the aproposfix folder and the log from the RK scan.
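The RKFiles step above reports files in the system and startup folders whose names carry a second, hidden data stream. As an added example, not code from the thread or from the RKFiles tool, the PowerShell below does the same sweep on a current Windows client: it lists NTFS alternate data streams (ADS) in those folders, filters out the two streams every normal system has, and shows the first bytes of anything left so a stashed executable can be recognised. The reading of the RKFiles "path: streamname" lines as ADS findings is my assumption; the folder list, the benign-stream list and the 64-byte peek are likewise choices for this example. It assumes Windows PowerShell 3.0 or later (Get-Item -Stream; the byte-reading switch is the 5.1 one) and an elevated prompt.

```powershell
# Added example, not from the original thread: list NTFS alternate data streams
# (ADS) on files in the folders the RKFiles tool reports on. An ADS is a second
# data stream hidden behind an ordinary file name (notation "file:stream"), a
# classic place for malware to stash a payload. Reading the RKFiles
# "path: streamname" lines as ADS findings is an assumption of this example.
# Assumes Windows PowerShell 3.0 or later (Get-Item -Stream), the 5.1-style
# -Encoding Byte switch, and an elevated prompt so protected files can be opened.

# Folders of interest; the last one is the All Users startup folder on
# Vista and later (on XP it is under C:\Documents and Settings\All Users).
$folders = @(
    "$env:SystemRoot\system32",
    "$env:SystemRoot",
    "$env:ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp"
)

# ':$DATA' is the file's own main stream and Zone.Identifier is the
# mark-of-the-web that browsers add to downloads; neither is suspicious.
$expected = @(':$DATA', 'Zone.Identifier')

function Get-SuspectStreams {
    param([string[]] $Paths)
    foreach ($dir in $Paths) {
        if (-not (Test-Path -LiteralPath $dir)) { continue }
        Get-ChildItem -LiteralPath $dir -File -Force -ErrorAction SilentlyContinue |
            ForEach-Object {
                Get-Item -LiteralPath $_.FullName -Stream * -ErrorAction SilentlyContinue |
                    Where-Object { $expected -notcontains $_.Stream } |
                    ForEach-Object {
                        [pscustomobject]@{
                            File   = $_.FileName
                            Stream = $_.Stream
                            Bytes  = $_.Length
                        }
                    }
            }
    }
}

$findings = @(Get-SuspectStreams -Paths $folders)
if ($findings.Count -eq 0) {
    Write-Host 'No unexpected alternate data streams found.'
} else {
    $findings | Sort-Object File, Stream | Format-Table -AutoSize

    # Peek at the first 64 bytes of each hit so a legitimate stream can be told
    # apart from an embedded executable (a PE file starts with the bytes "MZ").
    foreach ($f in $findings) {
        $head = Get-Content -LiteralPath $f.File -Stream $f.Stream -Encoding Byte -TotalCount 64 -ErrorAction SilentlyContinue
        $hex  = ($head | ForEach-Object { $_.ToString('x2') }) -join ' '
        Write-Host ("{0}:{1}`n  {2}" -f $f.File, $f.Stream, $hex)
    }
}

# Removal is deliberate and per stream, never wholesale. Kept commented out on
# purpose: as the RKFiles warning says, leave anything you are unsure of alone.
# Remove-Item -LiteralPath 'C:\WINDOWS\system32\example.dll' -Stream 'payload'
```

A legitimate stream (a Zone.Identifier, a summary-information stream left by older Explorer versions) will show readable text or zeros in the peek; an "MZ" header or a block of high-entropy bytes on a file under system32 is worth posting in the thread before touching it. On the command line, `dir /r` (Vista and later) gives the same listing without the filtering.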

Crustyoldbloke

Posted 23 November 2005 - 05:57 AM

As far as I can see, you only ran the Apropos fix, otherwise I would see the RK files log. The RK files log is hopefully negative.

Anyway... Congratulations! Your new log is clean. Just a little bit more to do to prevent further infection.

Reset and Re-enable your System Restore to remove bad files that have been backed up by Windows. The files in System Restore are protected to prevent any programmes changing them. This is the only way to clean these files: (You will lose all previous restore points which are likely to be infected.)

To reset your restore points, please note that you will need to log into your computer with an account which has full administrator access. You will know if the account has administrator access because you will be able to see the System Restore tab. If the tab is missing, you are logged in under a limited account.

(Windows XP)
1. Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.
2. Reboot.

3. Turn ON System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-check *Turn off System Restore*.
Click Apply, and then click OK.

I recommend going to the following link and updating as recommended by Microsoft. This adds more security and extra features, including a pop-up blocker for Internet Explorer: Microsoft Update

Now that everything is fixed, I suggest that you consider getting these programmes to help keep the computer clean:

Please note that whilst there is nothing wrong in having more than one antispyware programme for "on demand" scanning, having two or more antivirus systems is not recommended, as they may well interfere with each other.
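The System Restore reset above is the XP dialog version. As an added example, not code from the thread, here is the same sequence (turn protection off so the infected restore points are discarded, turn it back on, take a fresh point) run from an elevated Windows PowerShell 5.1 prompt on Windows 10/11, where the switch lives under System Protection. The drive letter, the checkpoint description and the extra vssadmin call are assumptions for this example; the *-ComputerRestore cmdlets are shipped with Windows PowerShell on client editions only, and Windows 8 and later will not create a second checkpoint within 24 hours of the last one by default.

```powershell
# Added example, not from the original thread: the XP "turn System Restore off,
# reboot, turn it back on" step done from an elevated PowerShell prompt on a
# current Windows client (Windows 10/11). Assumes the system drive is C: and
# Windows PowerShell 5.1 (the *-ComputerRestore cmdlets are not in PowerShell 7).
$drive = 'C:'

# The thread's first check: this only works with administrator rights.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this from an elevated prompt; System Restore settings need administrator rights.'
}

# Show what will be discarded: every restore point made while the machine was infected.
try {
    Get-ComputerRestorePoint | Format-Table SequenceNumber, CreationTime, Description -AutoSize
} catch {
    Write-Host "Could not list restore points ($($_.Exception.Message)); System Restore may already be off."
}

# Turning protection off for the drive discards its restore points, which is the
# whole point here: the backed-up copies of the malware go with them.
Disable-ComputerRestore -Drive "$drive\"

# Belt and braces: drop any shadow copies still present for the drive
# (vssadmin is a built-in console tool; /quiet suppresses the confirmation).
& vssadmin.exe delete shadows "/for=$drive" /all /quiet

# Re-enable protection and take a clean baseline so there is something to roll
# back to later. Windows 8 and later refuse a second checkpoint within 24 hours
# of the previous one unless SystemRestorePointCreationFrequency is lowered.
Enable-ComputerRestore -Drive "$drive\"
Checkpoint-Computer -Description 'Clean baseline after malware removal' -RestorePointType MODIFY_SETTINGS

# Verify: exactly one restore point, created just now, should remain.
Get-ComputerRestorePoint | Format-Table SequenceNumber, CreationTime, Description -AutoSize
```

Run it only after the logs have come back clean, as in the thread; done earlier it would also throw away the one rollback you might still need.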

PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, THERE MIGHT BE LEGIT FILES LISTED AND PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
Files Found in system Folder............
------------------------
C:\WINDOWS\system32\dfrg.msc: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQAAAAAwGpEc213

Files Found in all users startup Folder............
------------------------
Files Found in all users windows Folder............
------------------------
Finished
bye